Licia Florio, NORDUnet, licia@nordu.net

David Groep, Nikhef & Maastricht University, davidg@nikhef.nl �Christos Kanellopoulos, GEANT, christos.kanellopoulos@geant.org

​

Supporting access for research communities with the BPA

What is maturing under the broad-leaved AARC-TREE

TNC24 Rennes

“The Trust Roots That Make Research Grow”

1

Authentication and Authorisation for Research and Collaboration

https://aarc-community.org

We live in a federated world! With researchers collaborating across borders

2

https://aarc-community.org

Collaboration: an inherently-cross-domain issue .. and an AARC solution?

3

Example from the LHC Computing infrastructure WLCG

170 sites�~50 countries & regions�~20000 users

just how many interactions ??

people photo: a small part of the CMS collaboration in 2017, Credit: CMS-PHO-PUBLIC-2017-004-3; site map: WLCG sites from Maarten Litmaath (CERN) 2021

AuthN & AuthZ, architecture and trust should �align with collaboration structures, and �be outward facing: open, scalable, & multi-domain

https://aarc-community.org

AARC Blueprint Architecture: one BPA many communities

4

https://aarc-community.org

What is the AARC BPA?

5

The Authentication and Authorization For Research and Collaborations BluePrint Architecture provides a set of building blocks for software architects and technical decision makers who are designing and implementing access management solutions for international research collaborations. By design the AARC BPA is technology agnostic and provides an architectural design for those the deploy AAIs.

Science Clusters, Research Infrastructures and e-Infrastructure Providers have been been implementing their AAIs using the AARC Blueprint Architecture in order to manage their users and the access rights to resources

https://aarc-community.org

Interoperability – more than just the nice colours

6

https://aarc-community.org/guidelines/

https://aarc-community.org

An AARC BPA to enable federated access for eScience

7

Authentication and Authorization for Research Collaboration – https://aarc-community.org/

• Access services using identities from users’ Home Organizations, but hide complexity of multiple IdPs, federations, AA technologies
• One persistent identity across all the community’s services through account linking
• Access services based on role(s) users have in the collaboration.
• For both web and non-web resources
• Integration of guest identity solutions
• Support for stronger authentication assurance mechanisms

https://aarc-community.org

The AARC BPA: the IdP-SP proxy

​

8

• Access services using identities from users’ Home Organizations, but hide complexity of multiple IdPs, federations, AA technologies
• One persistent identity across all the community’s services through account linking
• Access services based on role(s) users have in the collaboration.
• For both web and non-web resources
• Integration of guest identity solutions
• Support for stronger authentication assurance mechanisms

​

Authentication and Authorization for Research Collaboration – https://aarc-community.org/

Graphics: Ann Harding and Lukas Hammerle (SWITCH )– from a long time ago now!

https://aarc-community.org

The Community AAI and the Infrastructure Proxy – structuring elements

9

Infrastructure Proxy

The Infrastructure Proxy, enables Infrastructures with a large number of resources, to provide them through a single integration point, where the Infrastructure can maintain centrally all the relevant Policies and business logic for making available these resources to multiple communities

Community AAI

The purpose of the Community AAI is to streamline researchers’ access to services, both those provided by their own infrastructure as well as the services provided by infrastructures that are shared with other communities.

https://aarc-community.org

AARC TREE: new funding to enhance the impact of AARC

10

https://aarc-community.org

AARC Technical Revision to Enhance Effectiveness

11

AARC TREE Project Main Facts

​

Start date: March 2024

Duration: 24 M

22 Partners

NDN coordinator

2,5 M Euro

Updated interoperability framework

​

Bring RIs, e-Infrastructures and relevant stakeholders together

https://aarc-community.org

AARC Technical Revision to Enhance Effectiveness

12

AARC TREE Project Main Facts

​

Start date: March 2024

Duration: 24 M

22 Partners

NDN coordinator

2,5 M Euro

Updated interoperability framework

​

Bring RIs, e-Infrastructures and relevant stakeholders together

Make AARC3 a global activity to engage �everyone interested in the evolution of AARC BPA

https://aarc-community.org

Challenges to address in AARC TREE

13

Interoperability with broader provider base

(IdPs, eIDs, social IdPs)

​

Requirements for assurance

​

Digital wallets

​

Better uptake and integration of the BPA

​

Proliferation of AARC Proxies

Service account information

https://aarc-community.org

AARC Community - open for all

14

AARC Engagement Group for Infrastructures

​

​

​

The forum of e/r-Infras that operate an AARC BPA complaint AAI.

It’s a closed group on purpose as we want to get feedback from the hands on group.

They approve the AARC guidelines.

​

​

​

​

​

Technical WG

• Led by Nicolas and Christos
• Where technical guidelines are discussed
• Anybody can join the discussion:

https://lists.geant.org/sympa/info/aarc-architecture

​

​

​

​

​

​

​

​

​

​

​

​

​

Policy WG

• Led by Dave and David
• Supported by EnCo and IGTF
• Anybody can join the discussion: policy@aarc-community.org�https://lists.geant.org/sympa/info/aarc-na3

​

​

​

​

​

​

​

​

​

​

https://aarc-community.org

Right now in AARC TREE:

Time to engage ?

Use Cases Collection and Analysis

with the large ESFRI RIs, clusters, and national nodes to validate BPA effectiveness and act as a flywheel to increase its application

15

Compendium & Recommendations

Have the validators and use cases have a broader impact by promoting them as ‘community good practice’ examples – and telling the world about it.

https://aarc-community.org

Dedicated work package to collect requirements from (new) communities

16

Landscape analysis of AARC BPA adoption

• Conduct an AARC BPA adoption survey among the RIs,�online survey accompanied by the arranged conversations with the individual RIs
• Collect information on current deployment of AARC BPA AAIs and adoption of guidelines

Result: Landscape analysis of AARC BPA adoption (around December 2024)

Use cases requirements & consultations

• Design and create survey (including technology and policy questions) �based on FIM4Rv2 paper, Evolution, EOSC AAI TF requirements
• Engage FIM4R, AEGIS, EOSC AAI TF, National Ris, EU data spaces to capture requirements
• Discus with our ESFRIs to get expectations & requirements via consultations, workshops etc

Result: Use cases requirements described in a white paper (target Q1 2025)

Handover to Compendium

https://aarc-community.org

Compendium and Recommendations

17

Key result in the ‘2^nd year’ (April 2025 - February 2026) is the Compendium

​

'compendium of AARC best practices’ with recommendations for a common long-term strategy for AAI services in pan-European Research Infrastructures in Europe

​

• based on the use case input and researcher requirements
• promotes coherent and interoperable architecture and policy
• iterate and validate with the infrastructures at large

describe the road that collaborative research infrastructure AAI will take!

https://aarc-community.org

Part II: AARC BPA Technical Guidelines

18

https://aarc-community.org

19

https://aarc-community.org

And of course with more AARC Compliant AAIs come more proxies

20

… it’s time for a Technical Revision to Enhance Effectiveness!

https://aarc-community.org

Community User Identifiers (CUID)

Problem

• How to identity the user uniquely and persistently across AAIs that implement the AARC BPA

​

Guidelines

• AARC-G026 - Guidelines for expressing community user identifiers

​

Summary

• A subject identifier, where the subjects are generally but not exclusively natural persons.
• Identifies the subject across AAIs
• Non-reassignable, persistent
• Managed by the Community AAI

21

https://aarc-community.org

Authorisation and affiliation in community use cases

Problem

• How to communicate affiliation of a user with the community

​

Guidelines

• AARC-G025 - Guidelines for expressing affiliation information
• AARC-G057 - Inferring and constructing voPersonExternalAffiliation

22

https://aarc-community.org

Parte III: How to Establish Trusted and Secure Operations

23

https://aarc-community.org

Policy and good practice underpinning the AARC Blueprint BPA

Infrastructure alignment and policy harmonisation: helping out the proxy

• Operational Trust for Community and Infrastructure BPA Proxies
• Increase acceptance of research proxies by identity providers through common baselines
• Review infrastructure models for coordinated AUP, T&C, and privacy notices, improving �cross-infrastructure user experience (users need to click only once)

User-centric trust alignment and policy harmonization: helping out the community

• Lightweight community management policy template
• Guideline on cross-sectoral trust in novel federated access models
• Assurance in research services through (eIDAS) public identity assertion

​

24

https://aarc-community.org

How to establish secure operation for your (AARC BPA) proxy?

The Challenge

• How to securely operate proxies, attribute authorities and issuers of statements for entities?

Guideline

• AARC-G071 Guidelines for Secure Operation of Attribute Authorities

Summary

• Operational security processes and procedures
• Requirements on traceability, auditability, and logging
• Requirements on the secure operation
• Requirements on securing the interactions

25

https://aarc-community.org

Operational guideline landscape for - proxy or source - AAI components

26

Authentication/identity sources

Sirtfi

(eduGAIN) baselining, RAF

IGTF AP Profiles

NIST SP800-63

eduGAIN sec. team workflow

RFC6238/4226�FIPS140

NIST SP800-53

REFEDS MFA

Service provider operations

ISO27k

Sirtfi

Infrastructure response plans

Ephemeral credentials

• trusted credential stores
• protection at rest

https://aarc-community.org

Operational security focus in the BPA: beyond just the IdPs

27

Guidelines for Secure Operation of Attribute Authorities and other issuers of access-granting statements �(AARC-I048, in collaboration with IGTF AAOPS)

Community membership management directories and attribute authorities

• integrity of membership
• identification, naming and traceability
• site and service security
• protection on the network
• assertion integrity

Community membership management directories and attribute authorities

• integrity of membership
• identification, naming and traceability
• site and service security
• protection on the network
• assertion integrity

https://aarc-community.org

When the AA is in a managed environment …

Many of the recommendations are already implemented ‘implicitly’

• because common software implements it: e.g. signing SAML assertions and JWTs
• because a good data centre already has network monitoring and central logging in place
• because you signed up to Sirtfi (didn’t you?) – so you collaborate in incident response
• because you have trained IT operations personnel looking after the service

​

And some are intuitive best practice

• like assigning a unique and lasting name to a group
• because implemented controls ought to be those that have been documented

​

Some items contain reminders about appropriate values and recommendations � that are good practice - based on the relevant standards involved

28

https://aarc-community.org

Deployment guidance included …

29

https://aarc-community.org

AARC-G071 Example requirement: Attribute Assertions

AAS-3

If an AA Operator issues assertions containing a lifetime, this lifetime must be compliant with the Community policies, as short as reasonably possible, and the assertion must not be valid beyond the validity period of the attributes it contains. The Community Management is responsible for the content of the assertion, as issued, during its entire lifetime

AAS-4

Re-issuance of assertions must be based on information held in the AA at the time of re-issuance.

30

https://aarc-community.org

AARC-G071 example requirement: Operational Environment

OE-1

Through its personnel or by contractual measures, the AA Operator should ensure appropriate controls are in place over the security context.

OE-2

The AA must be located in a physically secure environment where access is controlled and limited to specific trained personnel.

OE-3

The protections on the AA and its operational environment, including the credentials of the AA administrators and operators, should meet or exceed the requirements of all of the communities hosted in the AA.

31

https://aarc-community.org

AARC-G071 Example requirement: Assessment and Peer Review

AR-5

The AA operator must disclose and discuss, on request, those aspects of their operational environment that are relevant to the evaluation of the security and trust by the Communities and Relying Parties.

AR-6

The AA Operator must be able and willing to collaborate with affected organisations in the management of a security incident.

AR-7

The AA Operator should review roles, rights, and access of its staff at least once per year.

32

https://aarc-community.org

AARC-G071 Example requirement: Relying Party Obligations “the other side”

RP-1

Relying Parties must, at the time of reliance, verify the integrity and validity of attribute assertions and any binding to a valid subject, to their satisfaction.

RP-2

Relying Parties must rely on assertions with an explicit lifetime only during their validity period.

RP-3

Relying Parties must assess the risk of relying on assertions with no explicit lifetime and should not rely on them for longer than the relevant industry standards for that type of assertion recommend.

RP-4

Any long-lived, non-revocable statements received from an AA must be appropriately protected for confidentiality and integrity, by proxies and other intermediate entities.

33

https://aarc-community.org

Links to (probably) most well-known AARC outcome for security …

34

https://refeds.org/SIRTFI

Security Incident Response Trust Framework for Federated Identity

https://aarc-community.org

Our federated world is growing more complex

35

Images: SURF SSRAM and EGI by Maarten Kremers, NDFI AAI (Marcus Hardt), EOSC AAI for the EOSC Core and Exchange Federation for the EOSC European Node by Christos Kanellopoulos, Nicolas Liampotis, David Groep (June 2023 version)

https://aarc-community.org

Response and traceability across IdP-SP Proxies and the limits of Sirtfi

36

Guidelines for a joint operational trust baseline for membership management and proxy components, �supplemented by policy guidance for sectoral federations with more specific policies where needed

• ‘How can we convey the trust in what is in and behind the proxy?’
• ‘How to provide timely traceability between services and identities through the proxy?’

Based on requirements from FIM4R, WISE, and the proxy operators in AEGIS.

joint work with GN5-1 EnCo and eduGAIN CSIRT

images: AARC Sirtfi v1 exercise (Hannah Short), eduGAIN security TTX (Sven Gabriel, eduGAIN CSIRT)

|

Srtfi v1

https://aarc-community.org

Proxies have more challenges as well: AUPs, T&Cs, Privacy notices, …

For large ‘multi-tenant’ proxies

• some subset users in some communities use a set of services – �how to present their Terms and Conditions and their privacy policies, so that users
• only see the T&Cs and notices for services they will access
• this does not to need to be manually configured for each community
• is automatically updated when services join

​

For community and dedicated proxies

• when new (sensitive) services join, who needs to see the new T&Cs?
• can we communicate existing acceptance of T&Cs to downstream services?

​

What is an acceptable user experience in clicking through agreements? �What is effective in exploiting the WISE Baseline AUP? What do researchers need?

‘with fewer clicks to more resources’

37

https://aarc-community.org

Helping out the community: the policy toolkit for communities & trust

“small to mid-sized communities do not have the resources to maintain a bespoke community management policy”

this leaves communities and SP operators unclear about trust assurance level of members

38

Today’s BPA proxy links attributes as well as trust

And what about assurance: we’ll have more, and maybe more reliable, sources of assurance in the near term?

https://aarc-community.org

Production Implementations of the AARC BPA�EOSC and MyAccessID as Real Life Examples

39

https://aarc-community.org

Production Implementations: EOSC

40

EOSC Access Federation

Registers, maintains, and publishes the trust anchors and the associated metadata for all the entities in the EOSC Federated AAI. Provides common horizontal functionalities.

Identity Hub

Provides user authentication and consistent user information to services in the EOSC Federated AAI.

EOSC Core Infrastructure Proxy

Connects the EOSC Core Services

EOSC Exchange Infrastructure Proxy

Connects the EOSC Exchange Services

X509v3 Token Translation Service (TTS)

Authenticates users with their X.509v3 credentials.

https://aarc-community.org

Production Implementations: MyAcademicID

41

MyAcademicID Service

The MyAcademicID Service was launched in November 2020 MyAcademicID Project

EWP+ / University Alliances��Provides an Authentication Proxy for the core Erasmus+ services (Online Learning Agreement, Dashboard, the Erasmus+ App).

eduGAIN, eIDAS & Google Authentication��Supports authentication via eduGAIN, eIDAS and Google

Provides a catch-all IdP of Last Resort

​

​

https://aarc-community.org

Production Implementations: MyAccessID

42

• HPC Datacenters are in the process of transforming to Infrastructure Service Providers with a diverse Service Portfolio
• These infrastructure services become available in different administrative and policy domains, which we call Infrastructure Service Domains
• A common Authentication and Authorization Infrastructure enables uniform accessibility to scientists and engineers at European scale

https://aarc-community.org

MyAccessID: A common AAI for ISDs in HPC

Production Implementations: MyAccessID

44

https://aarc-community.org

Authorisation and affiliation in MyAccessID/Fenix example

45

https://aarc-community.org

Level of Assurance in MyAccessID/EuroHPC

46

2025

https://aarc-community.org

Assurance information in identity linking

Problem

• How to evaluate assurance information when linking identities

​

Guidelines

• AARC-G031 - Guidelines for evaluating the combined assurance of linked identities
• AARC-G009 - Account linking and LoA elevation use cases

​

Summary

• Identifier uniqueness: AND function → Cannot assert unique ID for the combined evaluation when one of the linked identities lacks it
• Identity proofing: resolves to the effective identity used
• Step-up Identity proofing: if the identifier uniqueness and level of authentication are the same, LoA can be assigned to the weaker identity
• Step-up Authentication: user may register a second authentication factor to enhance the strength of the authentication method and effectively the associated LoA

47

https://aarc-community.org

Level of Assurance in MyAccessID/EuroHPC

48

2021

2022

2023

Plan

Reality

LUMI requirements translated into LoA

MyAccessID warning message 1. March deadline

Users react

LUMI reacts

Deadline changed for later in 2023

Start to work on alternative solution: Identity vetting

Regular coordination with federation operators

LoA requirements socialised within LUMI consortium and wider

LoA tracking shows about 15% adoption

LoA tracking shows improvement 23% adoption

Well accepted, half of the partners declared support by their federation already

Well received, triggered internal discussion to adopt LoA in several federations

Identity vetting through eduid.se implemented

`

LoA policy enforced

https://aarc-community.org

Level of Assurance in MyAccessID/EuroHPC

49

https://aarc-community.org

Thanks to the AARC Community, including folk from whom we re-used graphics and material in this overview. In random order: Licia Florio, Nicolas Liampotis, Christos Kanellopoulos, Marina Adomeit, Janos Mohacsi, Ilaria Fava, Slavek Licehammer, Dave Kelsey, Ian Neilson, Marcus Hardt, Mischa Salle, Hannah Short, and Maarten Kremers.

Thank you

Any Questions?

© members of the AARC Community and the AARC TREE consortium.

The work leading to these results has received funding from the European Union and other sources.

https://aarc-community.org

Co-funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union. Neither the European Union nor the granting authority can be held responsible for them. Grant Agreement No. 101131237 (AARC TREE).

Co-funded by �the European Union

https://aarc-community.org

Core AAI Platform Roadmap

Christos Kanellopoulos (GEANT)

Core AAI Platform

Core AAI Platform Roadmap

FENIX Design

FENIX�Implementation

FENIX

Pilot

FENIX Production

MyAccessID & PUHURI Pilot

MyAccessID & PUHURI Design

MyAccessID & PUHURI Production

Federated�SSH CA

PoC

MFA - Strong Authentication

EUDI Wallet Pilot

Support for Advanced Use Cases

Identity�Vetting Pilot

EuroHPC Federated Platform

Federated�SSH CA

Pilot

Identity Vetting PoC

MyAccessID FENIX Production

The Core AAI Platform - Features

Identity vetting

Multi-Factor Authentication

The federated SSH CA

MyAccessID: A common AAI for ISDs in HPC

MyAccessID: A common AAI for ISDs in HPC

MyAccessID: A common AAI for ISDs in HPC

Core AAI Platform Roadmap

FENIX Design

FENIX�Implementation

FENIX

Pilot

FENIX Production

MyAccessID & PUHURI Pilot

MyAccessID & PUHURI Design

MyAccessID & PUHURI Production

Federated�SSH CA

PoC

MFA - Strong Authentication

EUDI Wallet Pilot

Support for Advanced Use Cases

Identity�Vetting Pilot

EuroHPC Federated Platform

Federated�SSH CA

Pilot

Identity Vetting PoC

MyAccessID FENIX Production

Registrar�Pilot

EUDI Wallet Pilot

Thank you

Christos Kanellopoulos (GEANT)

For Reference - Current Work in Progress

64

https://aarc-community.org

More complex Examples

65

https://aarc-community.org

OpenID connect - complex topologies, how do we enable trust

66

https://aarc-community.org

OpenID connect - complex topologies, how do we enable trust

Problem

• How to convey meta-information about a token from an Authorization Server (AS) to the protected resource even when there is no direct trust relationship between the protected resource and the token issuer.

​

Guideline

• AARC-G052 OAuth 2.0 Proxied Token Introspection
• AARC-G058 Establishing trust between OAuth 2.0 Authorization Servers
• AARC-GXXX OAuth2 Token Profile

​

Summary

• Models for validating tokens across infrastructures
• Establishing trust across interfederations of AAIs
• Speaking the same language

67

LAST CALL

WIP

TODO

https://aarc-community.org

AARC-G052 OAuth 2.0 Proxied Token Introspection

• Offline Token Validation by the RS

​

• Token introspection (RFC7662) invoked by RS, with offline token validation performed by AS

​

• Token introspection invoked by RS, with proxied token introspection performed by the AS

68

https://aarc-community.org

Offline token validation performed by the RS

69

https://aarc-community.org

Token introspection (RFC7662) invoked by RS, with offline token validation performed by AS

70

https://aarc-community.org

Token introspection invoked by RS, with proxied token introspection performed by the AS

71

https://aarc-community.org

AARC-G052 OAuth 2.0 Proxied Token Introspection

72

https://aarc-community.org

Evolve the BPA to address the more complex (and the simpler) worlds

73

guidelines for harmonising expression of community user attributes

• reduce inconsistencies between implementations
• improve interoperability & end-user usability across research community communities and infrastructures

Authorisation guidelines

• best practises to enable efficient & effective sharing of federated resources

Decentralised identities

• guidance for digital wallets linked to BPA

Extend AARC BPA

• improve scalability
• leverage emerging standards �like OpenID Federation

https://aarc-community.org

How to express community identity attributes?

74

​

• “How to express the identifier of a user?” �→ AARC-G026
• “How to express the groups and roles of a user?” �→ AARC-G069 (was AARC-G002)
• “How to express resource capabilities of a user?” �→ AARC-G027
• “How to express the home institute of a user?” �→ AARC-G025
• How to express user assurance information�when interacting with another proxy?” �→ RAF & AARC-G021

​

AARC-G056

https://aarc-community.org

AARC Blueprint Architecture ‘BPA2025’!

75

https://aarc-community.org

76

Additional resources

https://youtu.be/Xpwb6BNxNW4

https://aarc-community.org/

https://aarc-community.org

Thanks to the AARC Community, including folk from whom we re-used graphics and material in this overview. In random order: Licia Florio, Nicolas Liampotis, Christos Kanellopoulos, Marina Adomeit, Janos Mohacsi, Ilaria Fava, Slavek Licehammer, Dave Kelsey, Ian Neilson, Marcus Hardt, Mischa Salle, Hannah Short, and Maarten Kremers.

Thank you

Any Questions?

© members of the AARC Community and the AARC TREE consortium.

The work leading to these results has received funding from the European Union and other sources.

https://aarc-community.org

Co-funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union. Neither the European Union nor the granting authority can be held responsible for them. Grant Agreement No. 101131237 (AARC TREE).

Co-funded by �the European Union

https://aarc-community.org